This curriculum covers the design and day-to-day execution of threat mitigation programs at the scale of a multi-workshop security transformation initiative, and addresses the technical, procedural, and governance challenges found in large corporate environments.
Module 1: Threat Landscape Assessment and Intelligence Integration
- Selecting and onboarding commercial threat intelligence feeds based on industry relevance, data format compatibility, and update frequency.
- Mapping observed threat actor tactics, techniques, and procedures (TTPs) to MITRE ATT&CK for internal risk profiling.
- Establishing thresholds for automated ingestion of external indicators of compromise (IOCs) into SIEM and EDR platforms.
- Developing internal processes to triage and validate threat intelligence reports from ISACs and government agencies.
- Integrating dark web monitoring outputs into incident response playbooks without overwhelming analyst resources.
- Defining ownership and escalation paths for newly identified zero-day vulnerabilities affecting core business systems.
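Worked example for the ingestion-threshold and ATT&CK-profiling items above. This is an added illustration, not material from the curriculum: the feed schema, the policy values, the allowlist, and every indicator in it are constructed assumptions. It gates a feed on type, confidence, age, an allowlist of attacker-neutral infrastructure, and internal address space, merges duplicates seen by several sources, and counts ATT&CK techniques across what survives.

```python
"""Threshold-gate external IOCs before automated SIEM/EDR ingestion.

Added example; not part of the curriculum. The feed schema, policy values
and the indicators themselves are constructed assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample feed (schema assumed): one dict per indicator.
SAMPLE_FEED = [
    {"value": "203.0.113.7", "type": "ipv4", "confidence": 90, "first_seen": "2024-05-01T00:00:00Z",
     "attack": "T1071.001", "source": "vendor_a"},
    {"value": "203.0.113.7", "type": "ipv4", "confidence": 70, "first_seen": "2024-05-03T00:00:00Z",
     "attack": "T1071.001", "source": "isac"},            # same indicator from a second feed
    {"value": "10.0.0.5", "type": "ipv4", "confidence": 95, "first_seen": "2024-05-02T00:00:00Z",
     "attack": "T1021.002", "source": "vendor_a"},        # RFC 1918: would match our own traffic
    {"value": "8.8.8.8", "type": "ipv4", "confidence": 80, "first_seen": "2024-05-02T00:00:00Z",
     "attack": "T1071.004", "source": "vendor_b"},        # shared public resolver: alert storm
    {"value": "bad.example", "type": "domain", "confidence": 40, "first_seen": "2024-05-04T00:00:00Z",
     "attack": "T1566.002", "source": "vendor_b"},        # below the confidence floor
    {"value": "00" * 32, "type": "sha256", "confidence": 99, "first_seen": "2023-11-01T00:00:00Z",
     "attack": "T1204.002", "source": "isac"},            # placeholder hash, older than max age
    {"value": "203.0.113.9", "type": "ipv4", "confidence": 75, "first_seen": "2024-04-20T00:00:00Z",
     "attack": "T1071.001", "source": "vendor_b"},
]

# Ingestion policy (values assumed; tune per feed and per destination platform).
POLICY = {"min_confidence": 60, "max_age_days": 90, "allowed_types": {"ipv4", "domain", "sha256"}}
# Attacker-neutral infrastructure that must never land on a blocklist.
BENIGN_ALLOWLIST = {"8.8.8.8"}
# Address space that only ever describes our own hosts; an "external" IOC here is a feed error.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Fixed reference clock so the run is reproducible.
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reject_reason(ioc, policy, now):
    """Return why an indicator must not be auto-ingested, or None if it passes every gate."""
    if ioc["type"] not in policy["allowed_types"]:
        return "unsupported_type"
    if ioc["confidence"] < policy["min_confidence"]:
        return "low_confidence"
    if now - _parse_ts(ioc["first_seen"]) > timedelta(days=policy["max_age_days"]):
        return "stale"
    if ioc["value"] in BENIGN_ALLOWLIST:
        return "allowlisted"
    if ioc["type"] == "ipv4" and any(ipaddress.ip_address(ioc["value"]) in n for n in INTERNAL_NETS):
        return "internal_address"
    return None


def select_for_ingestion(feed, policy, now=NOW):
    """Split a feed into SIEM/EDR-ready indicators and rejected ones with reasons.

    Duplicates across feeds are merged: the highest confidence wins and sources are unioned,
    so one indicator produces one detection rule rather than one per vendor.
    """
    accepted, rejected = {}, []
    for ioc in feed:
        reason = reject_reason(ioc, policy, now)
        if reason:
            rejected.append((ioc["value"], reason))
            continue
        key = (ioc["type"], ioc["value"])
        entry = accepted.setdefault(key, {"value": ioc["value"], "type": ioc["type"],
                                          "attack": ioc["attack"], "confidence": 0, "sources": set()})
        entry["confidence"] = max(entry["confidence"], ioc["confidence"])
        entry["sources"].add(ioc["source"])
    return list(accepted.values()), rejected


def technique_counts(accepted):
    """ATT&CK technique frequency across accepted indicators, as input to internal risk profiling."""
    return Counter(ioc["attack"] for ioc in accepted)


if __name__ == "__main__":
    acc, rej = select_for_ingestion(SAMPLE_FEED, POLICY)
    for ioc in acc:
        print("INGEST", ioc["type"], ioc["value"], ioc["confidence"], sorted(ioc["sources"]))
    for value, reason in rej:
        print("DROP  ", value, reason)
    print(dict(technique_counts(acc)))
```

The rejected list is worth keeping: an indicator that is dropped as "stale" or "low_confidence" by the automated path is exactly what the triage process in the module above should still see, so the gate feeds a review queue rather than silently discarding.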
Module 2: Identity and Access Control Hardening
- Implementing just-in-time (JIT) privileged access for third-party vendors with time-bound approvals and session logging.
- Enforcing conditional access policies in hybrid environments where legacy applications do not support modern authentication.
- Deciding between on-premises Active Directory federation and cloud-only identity models during migration planning.
- Managing service account lifecycle and credential rotation in containerized and serverless environments.
- Designing role-based access control (RBAC) hierarchies that align with job functions while minimizing privilege creep.
- Responding to anomalous sign-in patterns by balancing automated account lockout with business continuity needs.
Module 3: Endpoint Detection and Response (EDR) Deployment
- Selecting EDR agents based on kernel-level visibility requirements versus system performance impact on user devices.
- Configuring detection rules to reduce false positives from legitimate software while maintaining threat coverage.
- Establishing secure communication channels between EDR agents and central console in segmented network environments.
- Defining forensic data collection scope during incident investigations to comply with privacy regulations.
- Coordinating EDR integration with existing antivirus and DLP solutions to avoid tool conflict and redundancy.
- Developing rollback procedures for EDR agent updates that cause system instability in production environments.
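Worked example for the false-positive tuning item above. This is an added illustration, not code from the curriculum or from any EDR vendor: the event fields, the three rules, the vendor name "ExampleCorp" and all five process events are constructed. The point it makes is that a tuning exception must be bound to the rule, the parent image, the parent's code signer and the exact command shape; a blanket "ignore powershell.exe from the updater" would also silence an attacker who launches PowerShell from that same trusted parent.

```python
"""Scoped detection-rule exceptions for an EDR-style process-creation rule set.

Added example, not the curriculum's code. Event fields, rule logic, the
vendor name "ExampleCorp" and the events themselves are constructed.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe"}
# Encoded or hidden-window PowerShell invocations (switch spellings assumed to be the common ones).
ENCODED_OR_HIDDEN = re.compile(r"(?i)(?:^|\s)-(?:e|enc|encodedcommand|w\s+hidden|windowstyle\s+hidden)\b")

RULES = {
    "R-001": {"attack": "T1204.002", "desc": "script host spawned by an Office application",
              "match": lambda e: e["parent_image"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS},
    "R-002": {"attack": "T1059.001", "desc": "PowerShell with encoded or hidden-window command",
              "match": lambda e: e["image"] == "powershell.exe"
              and ENCODED_OR_HIDDEN.search(e["cmdline"]) is not None},
    "R-003": {"attack": "T1059", "desc": "script host from a non-interactive parent",
              "match": lambda e: e["image"] in SCRIPT_HOSTS
              and e["parent_image"] not in INTERACTIVE_PARENTS},
}

# Each exception names the rule it tunes, the parent image AND its signer, and the exact
# command shape, plus an owner and review date so it does not outlive the software it covers.
EXCEPTIONS = [
    {"id": "EX-001", "rule": "R-003", "owner": "endpoint-eng", "review": "2024-09-30",
     "parent_image": "exampleupdater.exe", "parent_signer": "ExampleCorp Inc.",
     "cmdline": re.compile(
         r'powershell\.exe -ExecutionPolicy Bypass -File "C:\\Program Files\\ExampleCorp\\\w+\.ps1"')},
]

# Constructed process-creation events (image names lower-cased as the sensor would normalise them).
UPDATER_CMD = r'powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\ExampleCorp\update.ps1"'
EVENTS = [
    {"id": 1, "parent_image": "winword.exe", "parent_signer": "Microsoft Corporation",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc AAAAAAAA", "user": "alice"},
    {"id": 2, "parent_image": "exampleupdater.exe", "parent_signer": "ExampleCorp Inc.",
     "image": "powershell.exe", "cmdline": UPDATER_CMD, "user": "SYSTEM"},            # legitimate, noisy
    {"id": 3, "parent_image": "explorer.exe", "parent_signer": "Microsoft Corporation",
     "image": "powershell.exe", "cmdline": r"powershell.exe Get-ChildItem C:\Temp", "user": "bob"},
    {"id": 4, "parent_image": "exampleupdater.exe", "parent_signer": "ExampleCorp Inc.",
     "image": "powershell.exe", "cmdline": "powershell.exe -enc AAAAAAAA", "user": "SYSTEM"},  # trusted parent abused
    {"id": 5, "parent_image": "exampleupdater.exe", "parent_signer": None,
     "image": "powershell.exe", "cmdline": UPDATER_CMD, "user": "SYSTEM"},            # unsigned look-alike
]


def exception_applies(exc, rule_id, e):
    """All four scoping conditions must hold; any mismatch means the alert stands."""
    return (exc["rule"] == rule_id
            and e["parent_image"] == exc["parent_image"]
            and e["parent_signer"] == exc["parent_signer"]
            and exc["cmdline"].fullmatch(e["cmdline"]) is not None)


def evaluate(events, rules=RULES, exceptions=EXCEPTIONS):
    """Run every rule over every event; return (alerts, suppressed) for tuning review."""
    alerts, suppressed = [], []
    for e in events:
        for rule_id, rule in rules.items():
            if not rule["match"](e):
                continue
            exc = next((x for x in exceptions if exception_applies(x, rule_id, e)), None)
            if exc is not None:
                suppressed.append((e["id"], rule_id, exc["id"]))
            else:
                alerts.append({"event": e["id"], "rule": rule_id,
                               "attack": rule["attack"], "user": e["user"]})
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = evaluate(EVENTS)
    for a in alerts:
        print("ALERT", a)
    for s in suppressed:
        print("SUPPRESSED event=%d rule=%s by %s" % s)
```

Reviewing the suppressed list on a schedule (the "review" date on each exception) is how the tuning stays honest: an exception that suppresses nothing any more should be retired, and one that suddenly suppresses a lot more than before is itself a signal.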
Module 4: Network Security Architecture and Segmentation
- Designing micro-segmentation policies for critical applications without introducing latency in transaction processing.
- Implementing east-west traffic monitoring in virtualized data centers using NetFlow or packet mirroring.
- Choosing between inline IPS and passive IDS based on network throughput requirements and remediation speed.
- Updating firewall rule sets to reflect application decommissioning while maintaining audit compliance.
- Enabling TLS 1.3 inspection on next-gen firewalls without degrading user experience or violating privacy policies.
- Documenting and justifying exceptions to default-deny policies for business-critical legacy systems.
Module 5: Incident Response Orchestration and Playbook Execution
- Activating incident response teams based on predefined severity criteria without causing organizational disruption.
- Preserving volatile memory and disk images from compromised systems while minimizing business downtime.
- Coordinating containment actions across cloud, on-premises, and SaaS environments during a multi-vector attack.
- Deciding whether to isolate infected endpoints or allow controlled monitoring for threat intelligence gathering.
- Engaging legal and public relations teams during incident response while maintaining evidence integrity.
- Conducting post-incident tabletop exercises to validate playbook effectiveness and update response procedures.
Module 6: Vulnerability Management and Patch Orchestration
- Prioritizing patch deployment based on exploit availability, asset criticality, and attack surface exposure.
- Scheduling out-of-band patches for internet-facing systems during low-usage windows to reduce downtime risk.
- Managing exceptions for systems that cannot be patched due to application incompatibility or vendor support gaps.
- Integrating automated vulnerability scanning into CI/CD pipelines without delaying software releases.
- Validating patch efficacy by re-scanning systems and confirming remediation in configuration management databases.
- Coordinating patch testing across development, staging, and production environments with limited QA resources.
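Worked example for the prioritization and exception-handling items above. This is an added illustration, not a scheme the curriculum prescribes: the weights, the SLA thresholds, the field names and the six findings are constructed assumptions to be calibrated against your own risk appetite. It scores each finding on CVSS, exploit availability, exposure and asset criticality, assigns an SLA bucket, and, for systems that cannot be patched, checks that a documented exception with a compensating control exists and has not expired.

```python
"""Risk-based patch prioritization with SLA buckets and documented exceptions.

Added example, not from the curriculum. Weights, SLA thresholds, field names
and the findings are constructed assumptions.
"""
from datetime import date

# Weights are assumptions: exploitation in the wild and internet exposure dominate.
EXPLOIT_WEIGHT = {"in_the_wild": 1.0, "public_poc": 0.6, "none": 0.2}
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "isolated": 0.2}
# (score floor, SLA label, days to remediate), most urgent first.
SLA_BUCKETS = [(0.8, "emergency", 3), (0.6, "expedited", 7), (0.4, "standard", 30), (0.0, "next_cycle", 90)]
TODAY = date(2024, 6, 1)   # fixed clock so the run is reproducible

# Constructed findings; hostnames and exception details are invented.
FINDINGS = [
    {"id": "F-1", "asset": "vpn-gw-01", "cvss": 9.8, "exploit": "in_the_wild", "exposure": "internet",
     "criticality": 5, "patchable": True},
    {"id": "F-2", "asset": "wiki-02", "cvss": 7.5, "exploit": "none", "exposure": "internal",
     "criticality": 2, "patchable": True},
    {"id": "F-3", "asset": "erp-db-01", "cvss": 9.1, "exploit": "public_poc", "exposure": "internal",
     "criticality": 5, "patchable": False,
     "exception": {"control": "host firewall restricts DB port to the app tier", "owner": "erp-platform",
                   "approved_by": "CISO", "expires": date(2024, 9, 30)}},
    {"id": "F-4", "asset": "lab-plc-07", "cvss": 5.3, "exploit": "none", "exposure": "isolated",
     "criticality": 1, "patchable": False},                      # unpatchable, no exception on file
    {"id": "F-5", "asset": "www-03", "cvss": 8.8, "exploit": "public_poc", "exposure": "internet",
     "criticality": 3, "patchable": True},
    {"id": "F-6", "asset": "legacy-app-01", "cvss": 6.5, "exploit": "none", "exposure": "internal",
     "criticality": 3, "patchable": False,
     "exception": {"control": "app isolated in dedicated VLAN", "owner": "legacy-apps",
                   "approved_by": "CISO", "expires": date(2024, 5, 1)}},   # review cycle missed
]


def priority_score(f):
    """Weighted 0..1 score; CVSS alone never decides the bucket."""
    score = (0.4 * f["cvss"] / 10
             + 0.3 * EXPLOIT_WEIGHT[f["exploit"]]
             + 0.2 * EXPOSURE_WEIGHT[f["exposure"]]
             + 0.1 * f["criticality"] / 5)
    return round(score, 3)


def sla_for(score):
    for floor, label, days in SLA_BUCKETS:
        if score >= floor:
            return label, days
    raise ValueError("score below every bucket floor")


def plan_action(f, today=TODAY):
    """Patch if possible; otherwise require a current, signed-off exception with a compensating control."""
    if f["patchable"]:
        return "patch"
    exc = f.get("exception")
    if exc is None or not exc.get("control") or not exc.get("approved_by"):
        return "exception_required"
    if exc["expires"] < today:
        return "exception_expired"
    return "exception_approved"


def build_patch_plan(findings, today=TODAY):
    """Return findings ordered by priority with their SLA and required action."""
    plan = []
    for f in findings:
        score = priority_score(f)
        label, days = sla_for(score)
        plan.append({"id": f["id"], "asset": f["asset"], "score": score,
                     "sla": label, "due_days": days, "action": plan_action(f, today)})
    plan.sort(key=lambda p: -p["score"])
    return plan


if __name__ == "__main__":
    for p in build_patch_plan(FINDINGS):
        print(f'{p["id"]} {p["asset"]:14} score={p["score"]:.3f} sla={p["sla"]:10} '
              f'due={p["due_days"]:>2}d action={p["action"]}')
```

Note that the exception path does not lower the score: F-3 still sits in the expedited bucket, so it keeps appearing in every report until either the vendor ships a fix or the next review re-approves the compensating control.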
Module 7: Security Governance and Compliance Alignment
- Mapping internal security controls to regulatory frameworks such as GDPR, HIPAA, or SOX for audit readiness.
- Documenting risk acceptance decisions for unmitigated vulnerabilities with executive sign-off and review cycles.
- Conducting third-party risk assessments for cloud providers using standardized questionnaires and on-site audits.
- Updating security policies to reflect changes in remote work infrastructure and endpoint ownership models.
- Reporting security metrics to board members using risk-based KPIs instead of technical incident counts.
- Reconciling conflicting control requirements between multiple compliance standards applied to the same system.
Module 8: Threat Hunting and Proactive Defense Operations
- Designing hypothesis-driven hunts based on recent industry breaches and internal telemetry gaps.
- Allocating analyst time between proactive hunting and reactive alert triage in resource-constrained teams.
- Using PowerShell and Python scripts to extract and analyze logs from non-SIEM data sources.
- Validating detection gaps by simulating adversary behavior in production-like environments.
- Documenting and sharing newly discovered TTPs with peer organizations through trusted ISAC channels.
- Measuring hunt effectiveness by tracking mean time to detect (MTTD) for previously unknown threats.
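Worked example for the scripting, hypothesis-driven hunting and MTTD items above. This is an added illustration, not code from the curriculum: the sshd log lines, the host names, the addresses and the detection time are all constructed. The hypothesis is the classic "a source that fails many logins and then succeeds within a short window has just compromised that account"; the script parses raw syslog-style sshd output (a source that may never reach the SIEM), runs the hunt, and reports the mean time from first malicious event to the hunt's detection.

```python
"""Hypothesis-driven hunt over raw sshd logs (a non-SIEM source) with MTTD tracking.

Added example, not from the curriculum. Log lines, hosts, addresses and the
detection timestamp are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def _line(ts, pid, outcome, method, user, src, port):
    return f"Jan 12 {ts} bastion sshd[{pid}]: {outcome} {method} for {user} from {src} port {port} ssh2"


# Constructed sample: two spray-then-success sequences, one benign typo, one key-based login.
LOG_LINES = (
    [_line(f"03:14:{1 + i:02d}", 2201 + i, "Failed", "password", "invalid user admin",
           "198.51.100.23", 40210 + i) for i in range(6)]
    + [_line("03:14:20", 2207, "Accepted", "password", "deploy", "198.51.100.23", 40230)]
    + [_line(f"03:50:{i:02d}", 2300 + i, "Failed", "password", "root", "203.0.113.50", 50100 + i)
       for i in range(6)]
    + [_line("04:00:00", 2310, "Accepted", "password", "svc-backup", "203.0.113.50", 50110)]
    + [_line("09:00:05", 3000, "Accepted", "publickey", "alice", "192.0.2.10", 51000),
       _line("09:05:00", 3005, "Failed", "password", "bob", "192.0.2.11", 51010),
       _line("09:05:10", 3006, "Accepted", "password", "bob", "192.0.2.11", 51011)]
)
LOG_YEAR = 2024                                  # syslog timestamps carry no year
DETECTED_AT = datetime(2024, 1, 12, 10, 0, 0)    # when the hunt surfaced its findings

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+")


def parse_auth_log(lines, year=LOG_YEAR):
    """Turn sshd auth lines into event dicts; lines that are not auth outcomes are skipped."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts_text = " ".join(m["ts"].split())          # collapse the padding in single-digit days
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "user": m["user"], "src": m["src"]})
    return events


def hunt_spray_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Flag a success from a source that accumulated >= min_failures failures inside `window`."""
    findings = []
    failures = defaultdict(list)                     # src -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] == "Failed":
            failures[ev["src"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        if len(recent) >= min_failures:
            findings.append({"src": ev["src"], "user": ev["user"], "host": ev["host"],
                             "failures": len(recent), "first_seen": recent[0], "success_at": ev["ts"]})
        failures[ev["src"]].clear()                  # a success resets the counter for that source
    return findings


def mean_time_to_detect(findings, detected_at):
    """Mean of (detection time - first malicious event) across findings, or None if nothing was found."""
    if not findings:
        return None
    total = sum((detected_at - f["first_seen"]).total_seconds() for f in findings)
    return timedelta(seconds=total / len(findings))


if __name__ == "__main__":
    found = hunt_spray_then_success(parse_auth_log(LOG_LINES))
    for f in found:
        print(f'{f["src"]} -> {f["user"]}@{f["host"]}: {f["failures"]} failures, '
              f'first seen {f["first_seen"]}, success {f["success_at"]}')
    print("MTTD:", mean_time_to_detect(found, DETECTED_AT))
```

The MTTD figure is only meaningful relative to when the hunt ran: if the same hypothesis is later turned into a scheduled detection, the same function with the detection's fire time in place of DETECTED_AT shows how much dwell time the automation removed.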